DOE F 1325.8
(08-93)
United States Government
Department of Energy

memorandum

DATE: April 10, 2006
REPLY TO ATTN OF: IG-32 (A05AL045)
Audit Report Number: OAS-L-06-12
SUBJECT: Audit of Sandia National Laboratories' Safeguards and Security Path Forward Management Plan
TO: Associate Administrator for Defense Nuclear Security

INTRODUCTION AND OBJECTIVE

From 2001 to 2003, approximately 500 security-related findings and observations were identified at Sandia National Laboratories (Sandia) by the Department of Energy's Office of Independent Oversight and Performance Assurance (OA), the National Nuclear Security Administration's (NNSA) Sandia Site Office (SSO), and Sandia's self-assessments. Sandia senior management acknowledged the significance of the numerous findings and, in response to NNSA's concern about the state of Sandia's Safeguards and Security (S&S) program, Sandia developed the Path Forward Management Plan (PFMP) in October 2003. The purpose of the plan was to return the Safeguards and Security Program to an acceptable and sustainable level of performance. Specifically, Sandia consolidated deficiencies based on their severity and similar causal factors into 78 findings and 349 observations. Sandia scheduled corrective actions for each finding and observation and required individual responsibility for those actions. Additionally, Sandia identified the need to develop 12 Management System Standards (MSS), such as the development of security policies and procedures and training programs, to correct the underlying infrastructure causes of observed external findings and internal observations. Sandia planned to complete all corrective actions by November 2004 and the MSS identified in the PFMP by February 2005.

The objective of this audit was to determine whether Sandia completed all corrective actions and MSS as planned in the PFMP.

CONCLUSIONS AND OBSERVATIONS

Although Sandia has made progress in completing actions to correct safeguards and security findings and observations, it did not meet its PFMP schedule to fully implement corrective actions and has rescheduled their completion for September 2006. As of February 2006,

   * 17 of the 78 original external findings remain open, including findings in the areas of classified matter protection and control, cyber security, program management, and human reliability; and,

   * 110 of the 349 observations remain open, including areas involving information security, protective force guidelines and security systems procedures.

Additionally, Sandia estimates that it is approximately 63 percent complete in developing the MSS and has re-scheduled their completion from February 2005 to December 2007. For example, Sandia has not completed planned Management System Standards in the areas of documented processes and records, program planning, and lessons learned feedback and improvement.

According to Sandia officials, they were unable to fully implement their planned schedule for corrective actions and developing MSS because:

   * The corrective actions were more complicated to implement than Sandia had originally expected; and,

   * Additional time was needed to re-formulate the PFMP into an Annual Operating Plan as required by Departmental guidance.

Although the PFMP is no longer in effect and the corrective actions called for in the plan are now contained in the Annual Operating Plan, Sandia continues to fund and track the status of the corrective actions. For example, the Annual Operating Plan provides funding to implement corrective actions necessary to close out external findings and observations in Fiscal Year (FY) 2006. Sandia officials told us that they also plan to fund the implementation of the remaining MSS in FY 2007.

In addition to Sandia's efforts to implement and track the status of corrective actions, SSO and OA groups monitor its progress in correcting previously identified security findings and observations. For example,

   * SSO validates the implementation of actions to correct findings before they can be closed and monitors Sandia's progress in closing findings and developing MSS standards; and,

   * OA reviews Sandia's progress in closing past findings and evaluates SSO's management of Sandia's Safeguards and Security improvements.

As a result of their validating and other reviews, OA and SSO have acknowledged significant progress in correcting previously identified deficiencies, especially in the area of protective forces.

Based on Sandia's continuing efforts to complete corrective actions, as well as the results of recently completed OA and SSO reviews of Sandia's progress, we are not making recommendations at this time. However, the Office of Inspector General, Office for Inspections and Special Inquiries has several open inspections on Sandia security. This report does not address any of those areas currently under inspection.

SCOPE AND METHODOLOGY

We performed work at Sandia National Laboratories in Albuquerque, NM, from August 2005 to March 2006. The scope of the audit included findings and observations from 2001 to 2005.

To accomplish the audit objective, we:

   * Interviewed Sandia and SSO security officials;
   * Reviewed OA and SSO reports;
   * Reviewed Sandia's FY 2005 Performance Evaluation Report;
   * Reviewed Sandia S&S programs, plans and budgets;
   * Selected a sample of PFMP findings and assessed how the findings were closed; and,
   * Determined the current status of all open PFMP findings.

The audit was performed in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. Because our review was limited, it would not have necessarily disclosed all internal control deficiencies that may have existed. Additionally, we did not rely extensively on computer-processed data to accomplish our audit objective, and therefore we did not verify the validity of the automated data processing systems. Finally, we reviewed the implementation of the Government Performance Results Act of 1993, as it related to the PFMP. In FY 2005, NNSA evaluated Sandia's performance against the measures identified in Performance Objective 8, Appendix 1. This performance objective incorporated Safeguards and Security milestones associated with completing corrective actions for findings on schedule and meeting MSS deliverables and milestones.

Since no recommendations are being made in this Letter Report, a formal response is not required. We appreciate the cooperation of your staff during the audit.

George . Collard
Assistant Inspector General for Performance Audits
Office of Inspector General

cc: Chief of Staff
    Director, Office of Safety and Security Performance Assurance, SP-1
    Director, Policy and Internal Controls Management, NA-66
    Team Leader, Audit Liaison Team, CF-1.2